We live in interesting times in local government IT. From ransomware that recently shut down a major American city to near-constant attacks from foreign actors determined to sow chaos, an effective cybersecurity program has never been more critical.
Here in King County, the most populous county in Washington state, we have revamped and reinforced our defenses against the onslaught of security challenges that face local governments daily. While our counter tactics constantly morph as threats change and new threats emerge, a snapshot into our thinking may well help other entities in their efforts.
The stakes are high: local governments are literally in the crosshairs of rogue nation-states and malevolent groups bent on disruption. Depending on the actor, they may seek monetary gain. And with increasing frequency, hackers attempt to disrupt local services. We’re acutely conscious they’re seeking a backdoor to snag a bigger prize: Our critical services and privileged accounts.
Everyone in local government focused on IT/cybersecurity is all too aware of what happened during a ransomware attack last March in Atlanta. That attack crippled the city for days, shutting down everything from online bill-paying to the ability of police to file reports. Officials there conceded publicly they had underfunded and undervalued cybersecurity threats. Pre-Atlanta, many local governments knew theoretically that such an attack could happen; however, this event brought home the cybersecurity landscape we are in today and underscored the real, changing dynamics of cyber disruption.
To counter such threats, King County leadership enabled our security organization to retrench our approach in all facets of the “before, during, and after” cycle of cybersecurity. We recently reorganized our security group and adopted risk components and controls into our security posture. Our ISO-based risk framework allows us to take audit findings and understand our unique issues and target those opportunities with dollars and resources, with less significant findings treated as appropriate. We follow an enterprise technology strategy that favors integrated solutions over point solutions. That drives solutions to a larger suite of capabilities that address our needs in a comprehensive manner, not the least of which is supportability and seamless aggregation of events. These integrated solutions are also leveraging threat intelligence at a scale that we simply could not provide ourselves.
In the future, I believe it’s critical for all local governments to organize their efforts in a way that brings risk into the conversation—not all findings need to be remediated. You can consciously accept risk; however, you need a consistent method and framework to consistently assess it. Having a security program that’s formalized based on standard frameworks and control sets, with an active internal audit group, is crucial to a reduction of municipal risk over time.
I want to also consider the challenges faced by my counterparts at smaller municipalities. We serve a population of more than two million county residents in a high-tech region home to Microsoft, Amazon, Nintendo, Expedia, and many other industry leaders, and even with that sophistication and a healthy local economy, it can be challenging to secure the resources to achieve our goals. Smaller public organizations can face an almost impossible task securing funding and often do not have the scale, skills or expertise to assess the massive risks and vulnerabilities that they face, along with ways to effectively identify solutions for cyber resilience.
It is essential that organizations adopt a formal enterprise vision and strategy, followed by making informed choices with technology and organizational transformation to execute on their adopted strategy. The cybersecurity landscape, coupled with the emergence of enterprise, cloud-based platforms, will lead municipalities to rethink the technology they buy and how they operate. I’d urge them to leverage cloud infrastructure and integrated security platforms where practical, reducing their reliance on on-premises infrastructure and customized, home-grown solutions.
At the risk of being called a futurist, I predict that soon, smaller and mid-sized municipalities will achieve scale by working together and consolidating core IT—and security—services across city and county lines. One example of this strategy here has been in the E-911 services space. Several suburban cities and counties—including King County and its cities—forged partnerships to create the needed scale for E-911 emergency call handling. It’s been very successful.
In short, there are many methods and approaches to reducing risk in your environment. No single path is the right one to take—each environment is different and needs an approach tailored specifically to that environment. We have high confidence that our control framework approach here at King County will scale out for years to come and significantly reduce our overall risk year-over-year.
Our security transformation was possible due to the efforts of multiple stakeholders—we didn’t forge ahead by ourselves. So partner with your executive to make your case. Align with the business units and council members and do the necessary trench work to achieve awareness and support. Neither manage up nor down. If possible, achieve consensus before you enter the council chambers.
It’s complicated, I know. You need a vision and purpose, and you need to manage that vision and purpose effectively to produce tangible outcomes. If you’re inclusive and get the right people in a position where they can make the right plays, then you can succeed in achieving effective enterprise-wide change.